Analysis
- max time kernel: 140s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-01-2024 02:54
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3fb54645fba660ad5c6824ccff364832.exe
  - Resource: win7-20231215-en
General
- Target: 3fb54645fba660ad5c6824ccff364832.exe
- Size: 543KB
- MD5: 3fb54645fba660ad5c6824ccff364832
- SHA1: 107f0844fc867bda1b7f664421c92712bc2a9a5b
- SHA256: de05db338a5854f13a46e498a6ba4484b7bd47062ed3adae9a93bb8cc767d3d9
- SHA512: ae80fe134835548a3684a2f68248a2e55a9a1db096e0a014a8fd56173141b8a11b6f07ec982f4b096436250b9ff22edf8c9d7f6439a07ce3e8f9735a94abf339
- SSDEEP: 12288:F1Gt75Q2a/P457JGNor4kLNpJDg8RFdn5nHhhTUUmviVn0woO:k75a/PIdGiLNvJRZhFhgiE
Malware Config
Extracted
- Family: vidar
- Version: 39.9
- Botnet: 706
- C2: https://prophefliloc.tumblr.com/
- profile_id: 706

Note: the extracted C2 value is a public profile page, not an attacker-hosted endpoint. Vidar reads its real C2 address from the text of such profiles, so the profile URL is a resolver; blocking or alerting on it alone does not cover the host it resolves to.
Signatures

Vidar Stealer (5 IoCs)
  resource | yara_rule
  behavioral2/memory/1912-2-0x0000000004A10000-0x0000000004AAD000-memory.dmp | family_vidar
  behavioral2/memory/1912-3-0x0000000000400000-0x0000000002CBF000-memory.dmp | family_vidar
  behavioral2/memory/1912-19-0x0000000000400000-0x0000000002CBF000-memory.dmp | family_vidar
  behavioral2/memory/1912-66-0x0000000000400000-0x0000000002CBF000-memory.dmp | family_vidar
  behavioral2/memory/1912-67-0x0000000004A10000-0x0000000004AAD000-memory.dmp | family_vidar
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 3fb54645fba660ad5c6824ccff364832.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 3fb54645fba660ad5c6824ccff364832.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 3fb54645fba660ad5c6824ccff364832.exe
Delays execution with timeout.exe (1 IoC)
  pid | process
  1892 | timeout.exe

Kills process with taskkill (1 IoC)
  pid | process
  1540 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | process
  1912 | 3fb54645fba660ad5c6824ccff364832.exe (8 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1540 | taskkill.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1912 wrote to memory of 4636 | 1912 | 3fb54645fba660ad5c6824ccff364832.exe | cmd.exe (3 occurrences)
  PID 4636 wrote to memory of 1540 | 4636 | cmd.exe | taskkill.exe (3 occurrences)
  PID 4636 wrote to memory of 1892 | 4636 | cmd.exe | timeout.exe (3 occurrences)
Every write here targets a process the writer has just spawned itself (parent to direct child), which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe (PID 1912)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe"
   - Checks computer location settings
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 4636)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe" & del C:\ProgramData\*.dll & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\taskkill.exe (PID 1540)
         Command line: taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\timeout.exe (PID 1892)
         Command line: timeout /t 6
         - Delays execution with timeout.exe

The numbers are tree depth. The cmd.exe chain is the sample's cleanup routine: force-kill the original process by image name, wait six seconds so the file handle is released, delete the executable, and delete every .dll under C:\ProgramData. The command line names C:\Windows\System32\cmd.exe but the image that actually ran is C:\Windows\SysWOW64\cmd.exe, which shows the sample is a 32-bit process: WoW64 file-system redirection maps System32 to SysWOW64 for 32-bit callers. Detection logic keyed on the image path should therefore match on the file name, not the full System32 path.
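The process tree above records the sample's self-deletion chain, and the signature list earlier records its two registry probes (Geo\Nation and ProcessorNameString). The script below is an added example, not part of the Triage report and not code from the sample: it implements detection logic for both behaviours over Sysmon-style process-creation and registry-query records. The field names (pid, ppid, image, cmdline, key) and the event records are assumptions constructed from this report's IoCs. The self-deletion check is general: it keys on whatever image name and path the cmd.exe child's parent has, not on this sample's hash.

```python
"""Detection logic for the self-deletion chain and registry probes recorded
in this report, run over constructed Sysmon-style telemetry.

Added example: not Triage output and not the sample's code. Field names are
modelled on Sysmon Event ID 1 (process create) and 12/13 (registry); the
events below are constructed from the report's process tree and IoCs.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path actually executed (after WoW64 redirection)
    cmdline: str    # full command line as logged


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    key: str        # registry path queried


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe"

# Constructed telemetry mirroring the process tree in this report.
PROC_EVENTS = [
    ProcEvent(1912, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4636, 1912, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f'
              r' & timeout /t 6 & del /f /q "' + SAMPLE + r'" & del C:\ProgramData\*.dll & exit'),
    ProcEvent(1540, 4636, r"C:\Windows\SysWOW64\taskkill.exe",
              "taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f"),
    ProcEvent(1892, 4636, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 6"),
]

# Constructed registry events mirroring the two registry IoCs in this report.
REG_EVENTS = [
    RegEvent(1912, SAMPLE, r"\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000"
                           r"\Control Panel\International\Geo\Nation"),
    RegEvent(1912, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
                           r"\CentralProcessor\0\ProcessorNameString"),
]

# Registry value paths worth flagging; matched on the key suffix, case-insensitively.
REG_RULES = {
    "geofence check (Geo\\Nation)":
        re.compile(r"\\control panel\\international\\geo\\nation$", re.I),
    "CPU name query (sandbox check)":
        re.compile(r"\\centralprocessor\\\d+\\processornamestring$", re.I),
}


def registry_hits(events):
    """Return (pid, rule_name) for every registry query that matches a rule."""
    return [(e.pid, name) for e in events
            for name, rx in REG_RULES.items() if rx.search(e.key)]


def delete_targets(cmdline):
    """Paths handed to `del` in a cmd.exe `a & b & c` chain, quotes stripped."""
    targets = []
    for seg in cmdline.split("&"):
        # `del`, optional single-letter switches (/f /q), then the path
        m = re.match(r"del\b(?:\s+/\w)*\s+(.+)$", seg.strip(), re.I)
        if m:
            targets.append(m.group(1).strip().strip('"'))
    return targets


def self_delete_chains(events):
    """Find cmd.exe children whose command line both kills the parent image
    (taskkill /im <name>) and deletes the parent's own path (del ... <path>).
    Returns (cmd_pid, parent_pid) pairs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        pname = ntpath.basename(parent.image).lower()
        cl = e.cmdline.lower()
        # [^&]* keeps the match inside one &-separated command segment
        kills = re.search(r"taskkill\b[^&]*\s/im\s+" + re.escape(pname), cl)
        deletes = parent.image.lower() in delete_targets(cl)
        if kills and deletes:
            hits.append((e.pid, parent.pid))
    return hits


if __name__ == "__main__":
    for cmd_pid, parent_pid in self_delete_chains(PROC_EVENTS):
        print(f"self-deletion chain: cmd.exe {cmd_pid} kills and deletes parent {parent_pid}; "
              f"del targets: {delete_targets(PROC_EVENTS[1].cmdline)}")
    for pid, name in registry_hits(REG_EVENTS):
        print(f"pid {pid}: {name}")
```

The chain check requires both halves (kill by image name and delete by path) in the same cmd.exe command line, which keeps it quiet on legitimate updaters that only `del` a stale file. `delete_targets` also surfaces the `C:\ProgramData\*.dll` wipe, which is the lead for hunting the DLLs the sample staged before cleanup.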
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize 209B
   MD5    400f4a9df16c57408a470f8824d1b0db
   SHA1   1c4303b161495e1ac9e8b45dc17d48ec8ef32ed0
   SHA256 a2ead324e8fb1bf569d026d0976f83d2bf9d2162151ddc8ef0d5a58ccc5e168c
   SHA512 a91f8f813d09621541f85f87ce9069f3da3e871d6c69255a023d7dca8f7a8b0e4aca51929837c5a3d3656a84f12285530d3f56cbcb01d09a94a420469bf308ba
2. Filesize 209B
   MD5    5d21ca36b78ecb220e2548020bc15ed7
   SHA1   d4103638ab888429cdb7fd86d19f5778892352ac
   SHA256 023c3490c339e79524933c9f6f09c9882c2f8f9a4093ceeb8ec08c4e25f7ab2e
   SHA512 a256b73741b3103d8f7938bcd7222c98f29d6d040df9795a10143c4aa1cced388dd343b2221b4aab2a30bda8b60db342aa1d6bac0db685107cba1bdd96595ced
3. Filesize 210B
   MD5    fa4fb3509396425b35c3bd4a11aca709
   SHA1   f69e03b83b5a714de42a727b3fa97dfe725193ae
   SHA256 8eb400d985182a0458c0518cba4b4d9eff1fb9904acadcbb6c8a8d0567c69393
   SHA512 c23c7e848be36cad5c041c170bd1402c9907ed2c9818cc19d9124bb4b95da96b70419da05b3d94375d45896b7cf5beb06fe6ea823495e4d93877b16f1c4f54ae
4. Filesize 206B
   MD5    81fd90a928ef821dfadc577370c2523c
   SHA1   06e88b20550f1e65077025ba1cde98528751bc13
   SHA256 79828ce5c456dd06feb743bf1f452c61ef800a52112cda3ce16f67cb25dbb1d8
   SHA512 cb989ecf19563594bc74b6898e621897f2a197e292fb6d99a1e411bbe649e8481bcc47af0b7a5c9625549fa8d99bf1250d72033ccdf41d4207bad0928f75c673
5. Filesize 210B
   MD5    fd5d75c4ab3ba343a378324d9b05bbff
   SHA1   9b31507eee93eb2e6fee07889f008f9668d14dd3
   SHA256 63365e7603f9cac52ff6ccc52a83436cf8073a6a97491fd3c5a2ccc52088b7dd
   SHA512 81e59c3670b7f4bc2eb60e1966607a57dfabb891d667c9bde57c5ab6d4c84d7358af5ae55fdac7555e147d6d228358639be735e792f59d1d776a4ffa053bdc5d
6. Filesize 214B
   MD5    f87daed56fdfea78c2ed2566f440bada
   SHA1   db707626249bbd4424fe896c29cb207136f096a7
   SHA256 3896a4c4b6796f244b4c038a504f07455dd482f6f778c6355fa73e50fb541cb8
   SHA512 3c6dbf313a2d5894fec53b9ed99cbad648a9897f00434ed24c2f60e34142e480c6593c40859905e892e581d9834f3d186400f58c05de40b5ac60488c3ce9a395